FortiGate
Ahmed_M
Staff
Article Id 256928
Description This article explains the routing behavior of site-to-site IPsec IKE and ESP traffic when the tunnel is bound to a loopback interface, and why the VPN may fail to establish in an asymmetric routing scenario.
Scope FortiGate.
Solution

Background:

In FortiOS, IKE (IPsec phase 1, UDP 500) and ESP (IPsec phase 2, IP protocol 50) are tracked as separate sessions when NAT traversal is not enforced (with NAT-T, both are carried in UDP 4500). When the IPsec VPN is bound to a loopback interface and the FortiGate has redundant ISPs with ECMP routes toward the peer, IKE and ESP traffic can therefore be asymmetric by design: inbound packets arrive on whichever ISP the remote peer's path selects, while outbound packets follow the FortiGate's own ECMP choice, so ingress and egress IKE traffic may be routed over different interfaces. Some peer implementations do not tolerate this, and the VPN tunnel fails to establish.

 

Solution:

-  Since FortiOS 6.2.8, 6.4.9 and 7.0.0 (and later releases), a new command, 'loopback-asymroute', is available to change this behavior. This CLI option is visible only when the interface the tunnel is bound to is of type loopback:

 

config vpn ipsec phase1-interface
    edit <name>
        set interface <loopback interface name>
        set loopback-asymroute {enable | disable} **
    next
end

 

** loopback-asymroute options:

- enable (default): ingress and egress IKE traffic is allowed to be routed over different interfaces.

- disable: ingress and egress IKE traffic must be routed over the same interface. Use this when the remote peer does not tolerate asymmetric IKE paths.
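The following end-to-end configuration is an added example and is not part of the original article or of Fortinet's documentation. It shows the setting above in context: a loopback interface that terminates the tunnel, two equal-cost static routes over the ISPs (the ECMP condition that produces the asymmetry), and a phase 1 bound to the loopback with loopback-asymroute disabled. All interface names, addresses, the tunnel name and the pre-shared key placeholder are assumptions; the remote peer must have a route to the loopback address via either ISP. Lines beginning with # are annotations only, not valid FortiOS CLI input.

```text
# Added example, not from the original article; names and addresses are assumptions.

# 1. Loopback interface that terminates the IPsec tunnel.
#    A /32 that is reachable through either ISP is what makes the path choice ambiguous.
config system interface
    edit "lo-vpn"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping
    next
end

# 2. Redundant ISPs: two default routes with the same distance (and default priority)
#    form an ECMP pair, so outbound IKE/ESP can leave on either wan1 or wan2.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
    next
end

# 3. Phase 1 bound to the loopback. loopback-asymroute only appears once
#    'set interface' points at a loopback-type interface.
#    'disable' forces ingress and egress IKE traffic onto the same interface.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "lo-vpn"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 192.0.2.10
        set psksecret <pre-shared key>
        set loopback-asymroute disable
    next
end

# 4. Phase 2 as usual; it follows the phase 1 binding.
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# 5. Verification after the change:
#    - confirm both default routes are active (ECMP still in place)
get router info routing-table all
#    - confirm the tunnel negotiates and which interface IKE uses
diagnose vpn ike gateway list name to-branch
#    - watch IKE on the wire to see ingress and egress now share one interface
diagnose sniffer packet any 'udp port 500 or udp port 4500' 4
```

Note that loopback-asymroute affects only how IKE traffic is routed; it does not change the ECMP routing of other traffic, and it does not replace the requirement that the remote peer can reach the loopback address over both ISPs. If the peer is behind NAT and NAT-T is negotiated, IKE and ESP are both carried in UDP 4500 and the separate-session behavior described in the Background section does not apply.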